'Vendor Email Compromise': A New Attack Twist

A newly discovered cybercriminal gang is putting a twist on business email compromise scams by initially targeting vendors or suppliers with phishing emails and then sending realistic-looking invoices to their customers in order to steal money, according to the security firm Agari. The researchers label this new approach "vendor email compromise."

The group, which Agari researchers call "Silent Starling," has been operating since at least 2018. It has targeted about 500 businesses throughout the world, compromising about 700 employees' email accounts along the way, the researchers estimate.

Crane Hassold, the senior director of threat research at Agari, predicts this new flavor of business email compromise attacks will proliferate because scammers have developed the ability to create authentic-looking invoices that can potentially produce a much greater windfall.

"We were able to get really good visibility into the overall attack chain with how these attacks occur," Hassold tells Information Security Media Group. "We know these types of attacks have been going on for a while now and have been increasing in frequency over the last year or so. The very ironic part about these attacks is that the original victim is not the ultimate victim that actually loses all the money."

Agari says most of the targets of Silent Starling are in the U.S., Canada, the U.K. and Western Europe.

Targets of the Silent Starling gang (Source: Agari)

Agari published its research about the Silent Starling gang on Wednesday, but Hassold says the company had already been in touch with law enforcement with details about these vendor email compromise schemes.

Other criminal gangs are taking similar approaches, Hassold notes. In August, the FBI charged a Nigerian man with helping to compromise the email account of the CFO of Unatrac Holding Limited - a U.K. affiliate of U.S. heavy equipment manufacturer Caterpillar. In this case, the suspect used compromised email accounts to send out phony wire transfers and invoices using the CFO's name, title, company logos and other information (see: FBI Arrests Nigerian Suspect in $11 Million BEC Scheme).

Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting, tells ISMG that for over a year he's been working with clients who have experienced similar scams, including companies receiving invoices where the banking account number has changed.

"In all situations the victims of the attacks were using cloud-based email solutions and the criminals either phished the password from someone within the accounts department, or the person in the accounts department reused a password for their work email that had been compromised in another breach," Honan says, adding that he's advised clients to turn on multi-factor authentication or block IP addresses from certain countries to curtail some of this activity.

It All Starts With a Phish

As with longstanding business email compromise approaches, the Silent Starling group starts out with phishing messages that target company employees. But they focus their efforts on suppliers, the Agari research shows.

Most of the targeted vendors are small-scale operations that provide materials or services to larger companies, Hassold says.

These types of phishing emails are typically disguised as voicemail or fax notifications, urgent requests to check documents or notifications that credentials need to be reset following suspicious activity, the report notes.

Phishing email used by Silent Starling (Source: Agari)

If the targeted vendor employee clicks on a link in that phishing email, they are directed to a spoofed website designed to look like either a Microsoft OneDrive or DocuSign page. The employee is then asked to input their credentials, and that data is then emailed back to the gang, the research finds.

Once the gang has the credentials, they then create a forwarding rule within the email platform, and copies of all messages that the targeted employee receives or sends are then sent back to the Silent Starling gang.
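The forwarding rule is the part of this chain a mailbox administrator can audit directly: a rule that copies or redirects mail to an address outside the organization is the tell, and the report's description (blank or trivial rule names, mail quietly leaving the tenant) gives the signals to look for. The following is an added example written for this article, not code from Agari or from the researchers; it scans a constructed, simplified JSON export of inbox rules (the field names `mailbox`, `forward_to`, `redirect_to`, `delete_message` and the organization domain `example-vendor.test` are assumptions, not any vendor's API) and reports enabled rules whose targets fall outside the organization's own domains.

```python
"""Flag mailbox inbox rules that silently forward mail outside the organization.

Added example (not from the Agari report or the article): after a credential
phish, the attacker adds a forwarding or redirect rule so copies of the
victim's mail leave the tenant. Auditing inbox rules for external targets is
a routine defender check. The input below is a constructed, simplified JSON
export; the field names are assumptions, not a real mail platform's schema.
"""
import json

# Constructed: the organization's own mail domain(s); anything else is external.
ORG_DOMAINS = {"example-vendor.test"}

# Constructed sample export of inbox rules across several mailboxes.
SAMPLE_RULES_JSON = """
[
  {"mailbox": "ap-clerk@example-vendor.test", "name": "Archive newsletters",
   "enabled": true, "forward_to": [], "redirect_to": [], "delete_message": false},
  {"mailbox": "ap-clerk@example-vendor.test", "name": ".",
   "enabled": true, "forward_to": ["collector@attacker-mail.test"], "redirect_to": [],
   "delete_message": false},
  {"mailbox": "sales@example-vendor.test", "name": "Copy to manager",
   "enabled": true, "forward_to": ["manager@example-vendor.test"], "redirect_to": [],
   "delete_message": false},
  {"mailbox": "cfo@example-vendor.test", "name": "Hide invoices",
   "enabled": true, "forward_to": [], "redirect_to": ["drop@attacker-mail.test"],
   "delete_message": true},
  {"mailbox": "cfo@example-vendor.test", "name": "Old rule",
   "enabled": false, "forward_to": ["x@attacker-mail.test"], "redirect_to": [],
   "delete_message": false}
]
"""


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the address is not in one of the organization's domains."""
    return domain_of(address) not in {d.lower() for d in org_domains}


def suspicious_rules(rules, org_domains=ORG_DOMAINS):
    """Return findings for enabled rules that send mail to external recipients.

    Each finding records the mailbox, the rule name, the external targets and
    aggravating signals: a blank or one-character rule name (easy to overlook
    in a rule list) and delete-after-forward (hides the copied mail).
    """
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules do not leak mail; note them separately if wanted
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = [t for t in targets if is_external(t, org_domains)]
        if not external:
            continue  # purely internal forwarding is normal business use
        signals = []
        if len(rule.get("name", "").strip()) <= 1:
            signals.append("blank-or-one-character name")
        if rule.get("delete_message"):
            signals.append("deletes message after forwarding")
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule.get("name", ""),
            "external_targets": external,
            "signals": signals,
        })
    return findings


def scan_export(export_json, org_domains=ORG_DOMAINS):
    """Parse a JSON rule export and return the suspicious-rule findings."""
    return suspicious_rules(json.loads(export_json), org_domains)


if __name__ == "__main__":
    for f in scan_export(SAMPLE_RULES_JSON):
        print(f"{f['mailbox']}: rule {f['rule']!r} -> {f['external_targets']} {f['signals']}")
```

On the constructed sample the scan reports two rules: the one-character rule in the accounts-payable mailbox forwarding to an outside domain, and the CFO rule that redirects and deletes. The internal copy-to-manager rule and the disabled rule are skipped, which is the point of the check: the signal is external destination plus enabled state, not forwarding as such. In a real tenant the same logic would run over whatever rule export the mail platform provides, and a hit should trigger a password reset and a review of the mailbox's sent items for the period since the rule was created.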

The group then spends weeks or months studying the emails and billing patterns to help craft realistic-looking invoices with proper logos, spelling and grammar that are sent to the vendor's customers. If those invoices are paid, the money is sent to bank accounts that gang members control, according to the Agari report.

"The [fake] invoices are for payments that are actually about to happen," Hassold says. "The timing is right and the payment is due. The only difference is that the bank account number has been updated, but everything else - the context, the timing, the communication from the supposed vendor, the invoice itself - all looks completely legitimate. And that's why this type of attack is extremely effective."

Nigeria Connection

Agari identified three members of the Silent Starling gang that have connections to Nigeria, Hassold says. That's why the Agari researchers named the gang after a bird - the starling - common to West Africa; the "silent" refers to the group's stealth.

Hassold estimates that there are at least eight to 10 other people working for the group.

About the Author

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.
